
I'm trying to achieve the following scenario in SonarQube. I already enabled LDAP authentication for users. I do not want to use domain groups for managing permissions. Instead I would like to create a pure "SonarQube only" group and add domain users to it. As an admin I can do this, and the UI shows that the user is added (the DB contains this mapping as well), but as soon as this user tries to log into SonarQube, the application drops this group mapping. I can understand why it does this, but I'm looking for a way to make this scenario work. This is possible with many other apps like Jira, Confluence, Nexus etc., so it would sound strange if this is not possible with SonarQube at all.

sonarqube version 5.3

ldap plugin version 1.5.1

my config looks like the following

sonar.security.realm=LDAP
ldap.authentication=DIGEST-MD5

sonar.forceAuthentication=false

sonar.authenticator.createUsers=false
ldap.windows.compatibilityMode=false
sonar.security.updateUserAttributes=false

ldap.url=ldap://*****:389

ldap.bindDn=*****
ldap.bindPassword=******

ldap.user.baseDn=****
ldap.user.request=(&(objectCategory=User)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.windows.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
What does your LDAP config look like in sonar.properties? (And please give the usual details about SonarQube/plugin version.) - Nicolas B. - SonarSource Team
I noticed this behaviour when I started; I think this requires stopping user information synchronization from the LDAP server. Later I switched to using domain groups, with external role mapping into roles in Nexus. It's a lot easier to native to Nexus's design. - Jirong Hu
@n_stan sure, here it is, I've updated the question - Autogen
Thanks. Is SonarQube running on a Windows machine which is part of the AD domain itself? - Nicolas B. - SonarSource Team
@n_stan Yes, it's a Windows Server 2012 R2 machine, and it's part of the domain. I use a service AD account for making LDAP queries; this account can query the entire AD - Autogen

1 Answers


Set ldap.windows.auth=false in your sonar.properties. Since you did not configure the ldap.group.* properties, Group Mapping will be disabled and you can then handle groups directly in SonarQube.

Group Mapping is automatically enabled if ldap.windows.auth=true (default value on Windows), hence the behaviour you're observing (SonarQube group settings are overridden by the membership info in LDAP/AD).
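
The rule stated in the answer above can be checked against a sonar.properties file before a restart. The following Python check is an added example, not part of the original answer or of SonarQube's own code; the function names, the `on_windows` parameter and the sample values are assumptions made for illustration, and multi-server LDAP configurations are not covered.

```python
import re

# Constructed sample based on the question's settings (secrets replaced with
# placeholder values); note that there is no ldap.windows.auth line.
SAMPLE_QUESTION_CONFIG = """\
sonar.security.realm=LDAP
ldap.authentication=DIGEST-MD5
ldap.url=ldap://ldap.example.invalid:389
ldap.user.baseDn=dc=example,dc=invalid
ldap.user.request=(&(objectCategory=User)(sAMAccountName={login}))
"""

def parse_properties(text):
    """Parse simple .properties text: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def group_mapping_status(text, on_windows):
    """Return (enabled, reasons) using the rule described in the answer:
    group mapping is on when ldap.windows.auth is true (the default on
    Windows) or when any ldap.group.* property is configured."""
    props = parse_properties(text)
    reasons = []
    win_auth = props.get("ldap.windows.auth")
    if win_auth is None:
        # Assumption taken from the answer: unset means true on Windows only.
        if on_windows:
            reasons.append("ldap.windows.auth unset, defaults to true on Windows")
    elif win_auth.lower() == "true":
        reasons.append("ldap.windows.auth=true")
    for key in sorted(k for k in props if k.startswith("ldap.group.")):
        reasons.append(key + " is configured")
    return bool(reasons), reasons

if __name__ == "__main__":
    enabled, why = group_mapping_status(SAMPLE_QUESTION_CONFIG, on_windows=True)
    print("LDAP group mapping overrides local groups:", enabled)
    for reason in why:
        print(" -", reason)
```

When the result is true, group membership assigned in the SonarQube UI is expected to be overwritten at the user's next login, which is the behaviour described in the question.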